Data Security Needs to be Maintained at Each Layer of IoT System

Suhas Desai, Vice President – Digital Security, Aujas Networks, in conversation with
Rahul Neel Mani, Editor, dynamicCIO.com, talks about the various aspects of
the IoT ecosystem and the associated security risks. He also provides a
perspective on framework standardization and the evolving cybersecurity
landscape in the context of IoT.

Q. While IoT opens a whole new world of opportunities, it has also raised the
business risks significantly. The IoT devices are more accessible to malicious
threat actors and significantly expand the attack surface. What are some of the
key trends you are witnessing?

Multiple surfaces are involved in the IoT ecosystem.
It mainly involves the following – IoT device, Cloud, Mobile Application,
Network Interfaces, API & IoT Platforms. Attackers are targeting these surface
areas to gain unauthorized access to the devices and the sensitive data. This
may also lead to many challenges – privacy issues, fraudulent transactions,
abusive navigations and misuse of connected devices/IoT/API Platforms. Here are
some key trends in the IoT ecosystem and the associated security risks to its
surfaces:

- Insecure web interfaces for IoT Platforms

You might be aware of the recent incidents related to compromise of the IoT
platforms’ web interface, leading to privacy issues. This was due to insecure
implementation and configuration of the platform web interface. Attackers
targeted these IoT platforms through SQL injection, XSS, CSRF and other web
security attacks.

- Insecure IoT devices and network interfaces

Security flaws in connected cars and smart home appliances have got huge media attention
in recent times. The ‘Lock-pick’ malware app eavesdropped on the postal code
and sent it to the hacker through messaging. These types of attacks are
increasing on the IoT devices and their network interfaces where attackers are
eavesdropping on the data and stealing it.

- Communication Channel Security

Insecure message transmissions over various communication channels lead to privacy
issues and may also lead to fraudulent transactions. Various communication
channels like Bluetooth, NFC, Wi-Fi, Tags, Zigbee, Ethernet and their secure
connections need to ensure message integrity and use suitable encryptions.

- Insecure Cloud ecosystem

Insecure cloud interfaces connecting to IoT devices and its platforms are the new
targets to get sensitive customer data. The Cloud APIs, cloud platform and
interface security configurations, and improper data security controls lead to
non-compliance and privacy issues.

- Insecure mobile and IoT device applications

Insecure mobile and IoT device applications are another popular surface area where
attackers are targeting to steal sensitive data and tamper with and/or manipulate
messages to perform fraudulent transactions. Issues related to device theft/loss
and insecure local data storage have been another big concern for the users.

- Insecure API management

Insecure API management directly impacts the monetization mechanism of the API economy.
Many API management platforms have built-in security. However, security
flaws during the integration with the IoT platform (and/or cloud systems) could
expose sensitive data.

Q. Most of the popular companies in the IoT devices space are mostly start-ups,
which probably cannot bear the cost of a large team of security experts and
white hats to ensure secure deployments. What could be a way out of this
problem?

Most of the IoT device makers are new
entrants in the ecosystem, but they are really doing an excellent job in terms
of innovation and quality of the devices. However, security of the devices is
(and should be) a concern for everybody. Cost optimization on hardware and
software components is great. However, recent security incidents involving
consumers as well as the service provider systems should ring the alarm bells.
It is high time we look at security as a top priority.

With a limited security budget, they can opt
for offering models to assess the devices on a sampling basis and perform
a security review on the end-to-end life cycle for at least one client use-case.
This will give them an overview of the types of vulnerabilities and how to
mitigate them. This will also reduce the attack vector while saving cost.

Q. Commodity pricing places an enormous strain on security engineering and
maintenance of IoT devices. Many of these IoT devices are by-design inexpensive
to manufacture, which means companies are less likely to spend more dollars on
securing them. If this continues, what could be its likely impact on
cybersecurity?

This is true. Today, very few companies are
serious about securing their devices and making investments into security
engineering. But, given the fact that this industry has caught the attention of
cyber criminals, service providers would be forced to change.

Moreover, in digital transformation, IoT is
playing a vital role and businesses are opting for this change in order to
provide a better customer experience. However, lack of security is a huge risk
on the business models and brand reputation, because at the end of the day it
is your customer’s data and privacy. The same good customer experience can flip
overnight to a horrible one if there is a security breach. There can also be
regulatory penalties due to non-compliance, etc.

Q. ISO has a working group assessing how the ISO 27000 family of security
standards might be adapted to address IoT security needs. Also, the
IEEE Standards Association is working on an architectural framework that
is expected to address IoT security, privacy and safety issues. What importance
do you assign to the standards in addressing the security challenges facing the
IoT industry?

ISO, IEEE Standards Association, ITU, Internet
of Things Consortium and a few other working groups are working towards
framework standardization. Currently there are no defined standards for the IoT
components. It has application, device and network layers and needs to define
standards for protocols, application layer, device layer and network layer
components. Regulatory and compliance standards for the platform, device and
application providers are the other important aspect that needs to be
considered in standardizing the internet of things w.r.t. security. Today, there
is no uniformity in the application protocols and their usage at the consumer
level. End user application provider and consumer usage also need to be
standardized.

Q. In the future, how do you see the cybersecurity landscape evolving, especially
in the context of IoT?

The IoT security landscape is growing rapidly and
its adoption has significantly increased in recent years. Wide acceptance of
the connected things is getting the attention of hackers to gain unauthorized
access to the devices and IoT systems. Each layer in the IoT system has a play
and customer data security needs to be maintained at all these layers. There is
a huge potential for cyber security teams to help secure this space. These are exciting
times securing the ecosystem across the full spectrum of Device, API, IoT
platform, Cloud and Mobile Applications.
